Facing the future: What the introduction of Face ID means for corporate security

With more than 1.2 billion iPhones sold worldwide,[1] when Apple introduces a new security feature, it's no exaggeration to say that it will impact the global cyber-security industry. The introduction of Face ID last year was a clear example of this, as it brought a brand-new form of biometric technology to the masses. It also represented a big step in the right direction for the wider biometric authentication industry, which has a bright future ahead. 


Consumer technology takes the lead in securing our digital identities


The technology that powers Face ID is remarkably strong, with several factors in its underlying engineering that make it a powerful development. Face ID doesn't rely on conventional camera images, which are easily open to manipulation or "spoofing". It instead uses a unique configuration of sensors, cameras, and more than 30,000 infrared dots, called "TrueDepth", to build a map of an individual's face. Though Touch ID could proudly boast of a 1 in 50,000 false unlock rate, Face ID can claim a much improved 1 in 1,000,000 rate of error.


Face ID also mimics what users would tend to do naturally when picking up their device, authenticating the device as they glance at the screen. This is vital, since cumbersome security methods – however technologically brilliant – are far more likely to be bypassed or turned off entirely. Face ID seems to represent the best of both worlds – demonstrating that digital security can be effective and effortless.


At a time when cyber-threats are at an all-time high, and identity and authentication top the list of security priorities for enterprises, the progress of biometric tools like Face ID couldn't be more timely. The popularisation of Face ID and similar solutions will soon create a drive from employees to have access to the same kind of tools in the workplace.


Can biometrics solve our enterprise identity crisis?


Some 81 percent of hacking-related breaches leverage either stolen or weak passwords, rendering identity an extremely common attack vector in corporate breaches.[2] This makes the development of user-friendly and frictionless security vital to all organisations. However, when it comes to authentication, organisations are always faced with a dilemma: how can they achieve the perfect balance between convenience and security? How can you protect what matters most to the business without adding layers of cumbersome authentication and complex, impractical passwords? With biometric authentication, the user becomes quite literally their own password – one that cannot be forgotten or misplaced. Using the body itself as a means of authentication allows for high standards of security to be upheld, while remaining practical and intuitive.


But don't expect biometrics to be a silver bullet. Despite the numerous benefits which biometric authentication brings, no single type of authentication should be used in isolation. No individual authentication method is infallible, and hackers will almost always find new ways to break it – in fact, we are already seeing instances of biometrics being stolen. No matter how unique the form of ID generated might be, there is always the possibility that a hacker could figure out how to steal the digital "signature" generated and replicate it in some form that can spoof the system.


Context is the key to bringing biometrics to the enterprise


For maximum security, biometric authentication should be used in combination with other forms of authentication. Context is a vital component that can help organisations really ascertain that a person logging into critical systems is who they say they are and that they have the right to do so. It is important to take a business-driven approach to security – this means understanding what functions your employees have within the business, what type of data they need to have access to, where they are likely to be working from, and so on. Having this context as to the business role will help to identify when anything out of the ordinary is happening.


Not only that, but smart devices can be a key source of important information. If an employee's smartphone tells you they're currently in London, but they suddenly attempt to log in from somewhere thousands of miles away, you have a good indicator that something is amiss. This is why biometrics should still be used as part of two-factor authentication, paired with a second signal such as physical location data, user behaviour patterns, or even a simple PIN code.
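The London example above can be expressed as a small policy check. This is an added illustration, not code from the article or from any RSA product: the function names, the three outcomes and all thresholds (speed ceiling, geolocation tolerance, maximum age of the phone's position) are assumptions chosen for the sketch, and the coordinates and timestamps are constructed sample data.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0          # assumed ceiling: roughly airliner speed
GEO_TOLERANCE_KM = 100.0           # assumed slack for imprecise IP geolocation
MAX_FIX_AGE = timedelta(hours=6)   # assumed: older phone positions are not trusted

@dataclass
class Fix:
    """A timestamped position: a phone report or a geolocated login."""
    lat: float
    lon: float
    at: datetime

def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def decide(biometric_ok: bool, phone: Optional[Fix], login: Fix) -> str:
    """Return 'allow', 'step_up' (ask for a second factor such as a PIN) or 'deny'."""
    if not biometric_ok:
        return "deny"
    if phone is None or abs(login.at - phone.at) > MAX_FIX_AGE:
        return "step_up"           # no usable context: fall back to a second factor
    km = haversine_km(phone, login)
    if km <= GEO_TOLERANCE_KM:
        return "allow"             # login is where the phone says the user is
    hours = abs((login.at - phone.at).total_seconds()) / 3600
    speed = km / hours if hours else math.inf
    # Faster than any flight: the phone and the login cannot be the same person.
    return "deny" if speed > MAX_PLAUSIBLE_KMH else "step_up"

# Constructed sample data: phone seen in London at 09:00, then three login attempts.
T0 = datetime(2018, 3, 1, 9, 0)
LONDON_PHONE = Fix(51.5074, -0.1278, T0)
LOGIN_LONDON = Fix(51.5150, -0.1400, T0 + timedelta(minutes=30))
LOGIN_NEW_YORK = Fix(40.7128, -74.0060, T0 + timedelta(minutes=30))
LOGIN_PARIS = Fix(48.8566, 2.3522, T0 + timedelta(hours=3))

if __name__ == "__main__":
    for name, login in [("London", LOGIN_LONDON), ("New York", LOGIN_NEW_YORK),
                        ("Paris", LOGIN_PARIS)]:
        print(name, decide(True, LONDON_PHONE, login))
```

A successful biometric match alone never overrides the context check here: the New York attempt is refused even though the face matched, and a missing or stale phone position forces a second factor rather than a silent allow.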


Taking a business-driven approach to identity


There are rich possibilities for biometric authentication in the near future. For example, biometric authentication centred around cardiac scanning has recently been in development.[3] As everyone's heart is completely unique, this provides another potential route to establishing a unique form of ID. Such developments may sound like the stuff of sci-fi fantasy, but they may be commonplace in the enterprise in the next decade. Savvy businesses will be watching the consumer world to understand what types of technologies will provide a value-add to their organisation, and we see biometrics opening up a variety of options that we have never even thought of yet.


However, it is important to recognise that Face ID and the like will not provide a miracle cure for all our security worries. No innovation, however great, is sufficient to safeguard the future of you or your company. No sooner are new security tools created than cyber-criminals set to work on trying to break them. Organisations still need to take a business-driven approach to security, assessing which technologies will provide the right balance of security and convenience. The benefits of biometrics are undeniable; for every additional layer of authentication added, your chances of being compromised become lower. Yet strength should not be confused with infallibility. By acknowledging that systems will always run some risk of being compromised, enterprises can build stronger systems with checks and balances that help to mitigate that risk.


Contributed by Jim Ducharme, VP of identity products, RSA Security

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.